
    Wednesday, August 27, 2008

    Day 2 of Defcon 16

    I began today with Don Blumenthal's talk about working with law enforcement. He's really a good speaker: he's accurate with his tech and legal info. and he approaches the issues from a direct perspective. He's right when he recommended that if a warrant is given, don't screw with law enforcement. Know your rights, but don't try to mislead them if they have properly requested materials.

    Scott Moulton talked about how, in a few states, one needs a private investigator's license to do computer forensics. I had never heard about these laws before, but it's shocking. Being a licensed PI in itself doesn't qualify one to work with electronic evidence, do computer forensics, or do audits for clients. In addition to the long apprentice training required, the PI exam is mostly composed of questions about guns and guard dogs.

    After I returned to Maine, I mentioned Moulton's talk at a TechMaine meeting of information security and network and sys. admin. professionals. Only one person had heard of this scary legislation, but we all agreed that before it could be proposed in Maine, we should let our legislators know that we won't accept it. It seems as if, in the other states with these laws, the legislation was quickly passed without the info. security groups knowing what was going on. Thanks to Moulton's talk, we'll be on top of this before the PI lobbying group gets to our state. That law would put a lot of good people out of work. And as if tech jobs are even easy to come by in this state!

    After Moulton's presentation, I went to get lunch in the contest room. I was delighted that Mycurial sat down next to me. I saw him present at The Last HOPE. We discussed how he won't let his employees at a large bank take their business laptops across the US border because of the laptop searches and seizures being done by US Customs. The policies allow for officers to take laptops for a “reasonable period of time” to “review and analyze information.” There are (shockingly!) no requirements for reasonable suspicion. I learn about stuff like that and wonder where our civil liberties are going and who's making and passing this legislation?

    In an e-mail Mycurial sent me, he said, “There has not yet been a National response from the Privacy Commissioner of Canada, but I'm not sure how long that might or might not take. In the interim, we just don't outsource data to the states.” He has bank employees take wiped hard drives through Customs and then download the data they need through an encrypted network after they've cleared Customs.

    After finishing lunch and discussing data storage laws (If you store your short-term memory on your hard drive because of a medical condition, should that stored data have a higher level of protection (think Johnny Mnemonic)? What about for search and seizure protocols?), I slipped into the “Ask the EFF Panel.” However, the panel was canceled. The MIT students were slapped with a temporary restraining order prohibiting them from talking about their security research at MIT. Massachusetts Judge Woodlock really misjudged this one. Read Bruce Schneier's article (link above) because it's a good opinion article about why full disclosure of computer security issues is good for the computer industry. When the norm used to be to quietly tell the vendor, many vendors used the fallible “security through obscurity” routine and did nothing.

    Last, but not least, I went to “The Commission on Cyber Security for the 44th President.” The Center for Strategic and International Studies has a policy group composed of a myriad of professionals who wrote a security plan to be given to the next US President. Ed Felten is among a long list of impressive contributors. Someday I hope to be a part of a policy group such as CSIS.

    I know that I let down my Hacker Space group, but they requested a lot of pictures of the Grendel mobile hacker space van. I went outside a few times, but it was locked every time. However, I was able to get one picture of it (above, top of blog).

    The highlight of my day was being asked by a very nervous teen if I was Michelle Madigan. Huh? She was the Dateline NBC reporter who was run out of Defcon 15 last year. She refused to get a press pass but was trying to secretly film evil hackers breaking stuff. However, rumor was that it was a Fed who outed Madigan. Some of the Feds are working undercover and they didn't want to show up on a hidden camera on Dateline, either. I wonder what would have happened if I'd said, “Yes”? It would have been fun.
